[BACK]Return to MESSAGE CVS log [TXT][DIR] Up to [cvs.NetBSD.org] / pkgsrc / pkgtools / pkg_install

File: [cvs.NetBSD.org] / pkgsrc / pkgtools / pkg_install / MESSAGE (download)

Revision 1.7, Mon Jan 9 07:01:33 2017 UTC (3 months, 2 weeks ago) by sevan
Branch: MAIN
CVS Tags: pkgsrc-2017Q1-base, pkgsrc-2017Q1, HEAD
Changes since 1.6: +20 -22 lines

Update message to match the "Checking for security vulnerabilities in installed packages"
section in the pkgsrc guide.

===========================================================================
$NetBSD: MESSAGE,v 1.7 2017/01/09 07:01:33 sevan Exp $

You may wish to have the vulnerabilities file downloaded daily so that it
remains current. This may be done by adding an appropriate entry to the root
users crontab(5) entry. For example the entry

# Download vulnerabilities file
0 3 * * * ${PREFIX}/sbin/pkg_admin fetch-pkg-vulnerabilities >/dev/null 2>&1
# Audit the installed packages and email results to root
9 3 * * * ${PREFIX}/sbin/pkg_admin audit |mail -s "Installed package audit result" \
	    root >/dev/null 2>&1
      
will update the vulnerability list every day at 3AM, followed by an audit at
3:09AM. The result of the audit are then emailed to root. On NetBSD this may be
accomplished instead by adding the following line to /etc/daily.conf:

fetch_pkg_vulnerabilities=YES
      
to fetch the vulnerability list from the daily security script. The system is
set to audit the packages by default but can be set explicitly, if desired (not
required), by adding the follwing line to /etc/security.conf:

check_pkg_vulnerabilities=YES
      
Both pkg_admin subcommands can be run as as an unprivileged user,
as long as the user chosen has permission to read the pkgdb and to write
the pkg-vulnerabilities to ${PKGVULNDIR}.

The behavior of pkg_admin and pkg_add can be customised with
pkg_install.conf.  Please see pkg_install.conf(5) for details.

If you want to use GPG signature verification you will need to install
GnuPG and set the path for GPG appropriately in your pkg_install.conf.
===========================================================================